To an extent, I understand the purpose of limiting permissions to just what is needed, but I don't have a complete grasp of the possible dangers of having them open. I'm most concerned with web servers.

Assume the absolute worst-case scenario of 777 permissions across the entire system. I can see that if there were a security breach, it would automatically be an escalation vulnerability. What else? This is aside from the obvious, which is that other users on the system would have too much access.

Note: I'm not suggesting using loose permissions. I want to understand the dangers so I can better apply settings.

The worst-case scenario of using 777 for file permissions on a folder or file is that if somehow a user is able to install a file (or modify an existing file) and use it to actually execute malicious code, they have gained the ability to possibly access the credentials you use for other services on your system, such as your database. All heck breaks loose then...

See this blog entry on File Permissions on web servers for more information (or just search on Google - quite a bit of evidence of what dangers exist when using loose file permissions is available).

> Often the Apache server is 'owned' by the dhapache or nobody user accounts. These accounts have a limited amount of access to files on the server, for a very good reason. By setting your personal files and folders owned by your user account to be World-Writable, you are literally making them World Writable. Now the dhapache and nobody users that run your server, serving pages, executing php interpreters, etc. will have full access to your user account files.
>
> This provides an avenue for someone to gain access to your files by hijacking basically any process on your server, this also includes any other users on your machine. So you should think carefully about modifying permissions on your machine. I've never come across anything that needed more than 767, so when you see 777 ask why it's necessary.

Users with shell access to the system would then have access to run those commands, but I'm looking more at attack vectors from the web; that is, not a user who's directly logging on (or at least, not legitimately logging on).
– Zurahn Aug 9 '10 at 0:18
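To find where a web root is exposed in the way the answer describes, the following added example (not part of the original question, answer or quoted blog post) walks a directory tree and reports every world-writable entry along with what any local account, including the web server's, could do with it. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_world_writable(root):
    """Return sorted (relative path, octal mode, risk) for world-writable entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode) or not mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(st.st_mode):
                # Without the sticky bit, any account can also delete or replace
                # files it does not own inside the directory.
                risk = "dir: add files" if mode & stat.S_ISVTX else "dir: add/replace/delete files"
            elif mode & 0o111:
                risk = "file: rewritable and executable"
            else:
                risk = "file: contents rewritable"
            findings.append((os.path.relpath(path, root), format(mode, "04o"), risk))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed web root with a mix of tight and loose modes."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {"index.php": 0o644, "config.php": 0o666, "cgi-bin/run.sh": 0o777}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)  # chmod is not affected by the umask
    os.chmod(os.path.join(root, "cgi-bin"), 0o755)
    for rel, mode in {"uploads": 0o777, "tmp": 0o1777}.items():
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    for rel, mode, risk in audit_world_writable(build_sample_tree()):
        print(f"{mode}  {rel}  ({risk})")
```

Point `audit_world_writable` at a real document root to get the same report; entries with tight modes such as the sample `index.php` (0644) are not listed.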